The idea of automatic synthesis of reactive programs starting from temporal logic (LTL) specifications is quite old, but was commonly thought to be infeasible due to the known double exponential complexity of the problem. However, new ideas have recently renewed the interest in LTL synthesis: One major new contribution in this area is the recent work of Piterman et al. who showed how polynomial time synthesis can be achieved for a large class of LTL specifications that is expressive enough to cover many practical examples. These LTL specifications are equivalent to ω-automata having a so-called GR(1) acceptance condition. This approach has been used to automatically synthesize implementations of real-world applications. To this end, manually written deterministic ω-automata having GR(1) conditions were used instead of the original LTL specifications. However, manually generating deterministic monitors is, of course, a hard and error-prone task. In this paper, we therefore present algorithms to automatically translate specifications of a remarkably large fragment of LTL to deterministic monitors having a GR(1) acceptance condition so that the synthesis algorithms can start with more readable LTL specifications.

1 Introduction 

In the last decades, the influence of computer systems on our everyday life has been constantly growing. 
As computer systems enter more and more safety-critical areas, their correctness is essentially important 
to avoid malfunctioning systems. Thus, one of the main challenges in computer science is the design 
of provably correct systems. Many of these safety-critical computer systems are reactive embedded 
systems. These are non-terminating systems that interact with their environments during their infinite 
computations. Typically, concurrency and infinite computations with respect to the environment make it 
difficult to analyze and design such systems correctly. 

There are currently two main approaches to the design of provably correct reactive systems: In the first approach, called formal verification, one checks that a manually written implementation satisfies a given specification that is typically formulated in the temporal logic LTL [21, 9]. In the second approach, called LTL synthesis, a provably correct implementation is automatically derived from the given LTL specification. While formal verification is nowadays even routinely used in safety-critical system designs, LTL synthesis is still immature. Of course, the double exponential complexity of LTL synthesis compared to the single exponential one of LTL model checking is one reason for this situation. We believe, however, that the applicability of tools based on both methods can be significantly improved by better data structures and algorithms.

For example, a major breakthrough in formal verification has been achieved by symbolic representations of states and transitions with propositional formulas which became known as symbolic model checking [7]. With the advent of these succinct data structures and efficient decision procedures for propositional formulas, it has become possible to verify complex systems. In a similar way, new methods for SAT checking and SMT solvers opened the way to verify even larger systems.

It is natural to try to make use of such data structures and algorithms also for LTL synthesis. However, this is not directly possible, since the currently available LTL synthesis procedures consist of two steps: The first step is the translation of the LTL specification to an equivalent ω-automaton. The usual translation procedures generate a nondeterministic automaton that can be directly used for symbolic model checking. However, nondeterministic automata can, in general, not be used for LTL synthesis. Even though there are pseudo-deterministic automata like the good-for-games automata that can still be used for LTL synthesis, the second step usually consists of a determinization of the obtained automata (since deterministic automata can be definitely used without further restrictions). The problem is, however, that determinization is considerably more complex for ω-automata than for automata on finite words. In particular, a major drawback of the currently known determinization procedures is their explicit representation of the automata that does not make use of symbolic data structures. Since a translation from LTL to deterministic automata may lead to automata having a double exponential size in terms of the length of the formula, explicit state space representations are limited to handle very small LTL formulas.

One possibility to overcome the complexity problem of LTL synthesis is to consider restricted classes of LTL. For example, fflO consider subsets of LTL to obtain deterministic automata with less than double exponential size. Wallmeier et al. [27] developed a synthesis algorithm to synthesize request-response specifications which are of the form $G(\varphi_i \to F\,\psi_i)$ for multiple $i$, which leads to a synthesis procedure with only exponential complexity. Piterman et al. proposed in [20] an approach to synthesize generalized reactivity formulas with rank 1 (abbreviated as GR(1) formulas), i.e. formulas of the form $(\bigwedge_{i=0}^{n} GF\varphi_i) \to (\bigwedge_{j=0}^{m} GF\psi_j)$. Their algorithm runs in time $K^3$ where $K$ is the size of the state space of the design. If a collection $\Phi_i$ of LTL formulas representing assumptions on the environment, and a collection $\Psi_j$ of formulas representing conclusions for the system, can all be represented by deterministic Büchi automata, this approach can be used to obtain a synthesis procedure for the entire LTL specification

$(\bigwedge_{i=0}^{n} \Phi_i) \to (\bigwedge_{j=0}^{m} \Psi_j)$.

The work reported in [20] has been extensively used. Its feasibility was demonstrated in [4, 5, 11] which consider ARM's Advance Micro-System Bus Architecture as well as a case study of a generalized buffer example included in IBM's RuleBase system. In those case studies, an implementation realizing the given formal specification has been derived and has been afterwards converted to a circuit. In fact, those case studies have been the first real-life blocks that have been automatically synthesized from high-level temporal logic specifications. Further applications include usage in the context of production of robot systems [28].

The main drawback of previously published works using the GR(1)-approach of Piterman et al. is that the unavoidable determinization step was carried out manually by a human developer, since no tool support for the translation of temporal logic formulas to corresponding ω-automata was available. The translation to deterministic automata is considerably hard in general [12] and may introduce errors due to the human intervention.

To eliminate this drawback from the GR(1)-approach, we present in this article a remarkably large subset of LTL that can be translated to sets of deterministic Büchi automata representing the assumptions on the environment and the guarantees a system has to satisfy. To this end, we reconsider the temporal logic hierarchy that has been investigated by Chang, Manna, Pnueli, Schneider and others [15, 8, 16, 17, 22, 23]. This temporal logic hierarchy defines subsets of LTL that correspond to the well-known automaton hierarchy, consisting of safety, guarantee/liveness, fairness/response/Büchi, persistence/co-Büchi properties as well as their boolean closures (obligation and reactivity properties). Using a syntactic characterization of this hierarchy [22, 23], we can, in particular, syntactically determine for given LTL formulas whether the formula can be represented by a deterministic Büchi automaton. Hence, given a set of formulas representing assumptions and conclusions, we can determine whether they can be used as an input for GR(1)-synthesis. Clearly, since we only check this syntactically, it may be the case that we reject formulas that could be used for GR(1)-synthesis, but we never produce an error. In practice, it turned out that essentially no GR(1) formula is rejected by our syntactic check.

The syntactic approximation to determine GR(1) membership is one contribution of this paper. Another one is the observation that the negation of each formula that can be translated to a deterministic Büchi automaton can be translated to a non-deterministic co-Büchi automaton. It is well-known that non-deterministic co-Büchi automata can be determinized by the Breakpoint construction [18] that is well-suited for a symbolic implementation [19, 6]. From this co-Büchi automaton, we can easily obtain a deterministic Büchi automaton (again via negation, which is trivial for deterministic automata [23]) that is equivalent to the original formula. Hence, our second observation leads to a very efficient translation procedure for the identified LTL formulas to deterministic Büchi and co-Büchi automata.

We have implemented this synthesis procedure that (1) syntactically determines whether a formula can be represented with a GR(1)-property and (2) applies the mentioned symbolic determinization procedure for Büchi/co-Büchi automata. Finally, we apply the GR(1)-synthesis using an existing implementation of the GR(1)-Synthesis approach (3).

2 Preliminaries 

2.1 Linear Temporal Logic LTL 

For a given set of Boolean variables $V$, we define the set of LTL formulas by the following recursive definition:

Definition 1 (Syntax of Linear Temporal Logic (LTL)) The set of LTL formulas over a set of variables $V$ is the smallest set with the following properties:

• $1, 0 \in \mathrm{LTL}$

• $a \in \mathrm{LTL}$ for $a \in V$

• boolean operators: $\neg\varphi$, $\varphi \wedge \psi$, $\varphi \vee \psi \in \mathrm{LTL}$ if $\varphi, \psi \in \mathrm{LTL}$

• future temporal operators: $X\varphi$, $[\varphi\ \underline{U}\ \psi]$, $[\varphi\ B\ \psi]$ if $\varphi, \psi \in \mathrm{LTL}$

• past temporal operators: $\overleftarrow{X}\varphi$, $\underline{\overleftarrow{X}}\varphi$, $[\varphi\ \overleftarrow{\underline{U}}\ \psi]$, $[\varphi\ \overleftarrow{B}\ \psi]$ if $\varphi, \psi \in \mathrm{LTL}$

The semantics of LTL can be given with respect to a path through a structure (e.g. an ω-automaton), where a path is an infinite word over the alphabet $2^V$.

$X\varphi$ holds on a path $\pi$ at position $t_0$ if $\varphi$ holds at position $t_0 + 1$ on the path. $[\varphi\ \underline{U}\ \psi]$ holds at $t_0$ iff $\psi$ holds for some position $\delta \ge t_0$ and $\varphi$ holds invariantly for every position $t$ with $t_0 \le t < \delta$, i.e. $\varphi$ holds until $\psi$ holds. The weak before operator $[\varphi\ B\ \psi]$ holds at $t_0$ iff either $\varphi$ holds before $\psi$ becomes true for the first time after $t_0$ or $\psi$ never holds after $t_0$. In addition to the future time temporal operators, there are also the corresponding past time temporal operators. These are defined analogously with the only difference that the direction of the flow of time is reversed. For example, $[\varphi\ \overleftarrow{\underline{U}}\ \psi]$ holds on a path at position $t_0$ iff there is a point of time $\delta$ with $\delta \le t_0$ such that $\psi$ holds on that path at position $\delta$ and $\varphi$ holds for all positions $t$ with $\delta < t \le t_0$. The past time correspondence of the next-time operator is called the previous operator: $\underline{\overleftarrow{X}}\varphi$ holds on a path at position $t_0$ iff $t_0 > 0$ and $\varphi$ holds at position $t_0 - 1$. Additionally, there is a weak variant, where $\overleftarrow{X}\varphi$ holds on a path at position $t_0$ iff $t_0 = 0$ holds or $\varphi$ holds at position $t_0 - 1$.

Other operators can be defined in terms of the above ones:

For example, $[\varphi\ U\ \psi]$ is the weak until operator that can be alternatively defined as $[\varphi\ U\ \psi] := [\varphi\ \underline{U}\ \psi] \vee G\varphi$, i.e. the event $\psi$ that is awaited for need not hold in the future. To distinguish weak and strong operators, the strong variants of a temporal operator are underlined in this paper (as done above).

2.2 ω-Automata

Definition 2 (ω-Automata) An ω-automaton $\mathfrak{A} = (\mathcal{Q}, \Sigma, \mathcal{I}, \delta, \mathcal{A})$ over the alphabet $\Sigma$ is given by a finite set of states $\mathcal{Q}$, a set $\mathcal{I} \subseteq \mathcal{Q}$ of initial states, a transition relation $\delta \subseteq \mathcal{Q} \times \Sigma \times \mathcal{Q}$ and an acceptance condition $\mathcal{A} : \mathcal{Q}^\omega \to \{0, 1\}$.

Given an automaton $\mathfrak{A} = (\mathcal{Q}, \Sigma, \mathcal{I}, \delta, \mathcal{A})$ and an infinite word $\alpha = a_0, a_1, \ldots$ over $\Sigma$, each infinite word $\beta = q_0, q_1, \ldots$ with $q_0 \in \mathcal{I}$ and $q_{i+1} \in \delta(q_i, a_i)$ for $i \ge 0$ is called a run of $\alpha$ through $\mathfrak{A}$. The run is accepting if $\mathcal{A}(\beta) = 1$. We say that $\mathfrak{A}$ accepts $\alpha$ whenever an accepting run of $\alpha$ through $\mathfrak{A}$ exists.

Using standard terminology, we say that $\mathfrak{A}$ is deterministic, if exactly one initial state exists and for each $q \in \mathcal{Q}$ and each input $\sigma \in \Sigma$ there exists exactly one $q' \in \mathcal{Q}$ with $(q, \sigma, q') \in \delta$. In that case we write $\mathfrak{A} = (\mathcal{Q}, \Sigma, q_0, \delta, \mathcal{A})$ with an initial state $q_0$ and a deterministic transition function $\delta : \mathcal{Q} \times \Sigma \to \mathcal{Q}$.

In the following, we assume that $\mathcal{Q} = 2^V$ for a set $V$ of state variables. Moreover, we assume sets $X$ and $Y$ of input and output variables that form the inputs $\mathcal{X} = 2^X$ and outputs $\mathcal{Y} = 2^Y$ of the system such that $\Sigma = \mathcal{X} \times \mathcal{Y}$. Having this view, we define a state set $\mathcal{Q}_\varphi$ to contain exactly those states where the propositional encoding of the state variables $V$ satisfies $\varphi$. Thus, we can conveniently define acceptance conditions by LTL specifications.

2.3 Classical Acceptance Conditions 

In the past, several kinds of acceptance conditions have been proposed and their different expressivenesses have been studied in depth. In particular, the following acceptance conditions have been considered [15, 22, 23]:

• A run is accepted by a safety condition $G\varphi$ if the run exclusively runs through the set $\mathcal{Q}_\varphi$.

• A run is accepted by a liveness condition $F\varphi$ if the run visits at least one state of the set $\mathcal{Q}_\varphi$ at least once.

• A run is accepted by a prefix¹ condition $\bigwedge_{i=0}^{n} (G\varphi_i \vee F\psi_i)$ if for all $i$ either the run exclusively runs through the set $\mathcal{Q}_{\varphi_i}$ or visits $\mathcal{Q}_{\psi_i}$ at least once.

¹ These conditions are also called Staiger-Wagner or obligation conditions.

• A run is accepted by a Büchi condition $GF\varphi$ if the run visits at least one state of the set $\mathcal{Q}_\varphi$ infinitely often.

• A run is accepted by a co-Büchi condition $FG\varphi$ if the run visits only states of the set $\mathcal{Q}_\varphi$ infinitely often.

• Finally, a run is accepted by a Streett (or reactivity) condition $\bigwedge_{i=0}^{n} (GF\varphi_i \vee FG\psi_i)$ if for all $i$ either the run visits at least one state from $\mathcal{Q}_{\varphi_i}$ or the run visits only states of the set $\mathcal{Q}_{\psi_i}$ infinitely often.

2.4 GR(1)-Specifications for LTL Synthesis

The task of LTL synthesis is to develop a system that controls the output variables $Y$ so that no matter how the environment chooses the input variables $X$, a LTL specification is satisfied. Thus, instead of using one of the classical acceptance conditions, it is more convenient for synthesis to consider specifications of the form $\varphi \to \psi$ where $\varphi$ represents assumptions on the environment and $\psi$ represents conclusions/guarantees the system has to satisfy. In particular, Generalized Reactivity (1) acceptance [4, 5, 11, 20] attracted some interest in the community: here the assumptions and guarantees are all Büchi conditions, i.e. we seek a system satisfying the following acceptance condition:

$GR(1) := (\bigwedge_{i=1}^{n} GF\,p_i) \to (\bigwedge_{j=1}^{m} GF\,q_j)$    (1)

The class of specifications to which the algorithms of [4, 5, 11, 20] can be applied is much more general than the limited form presented in equation (1). The algorithm can be applied to any specification of the form $(\bigwedge_{i=1}^{n} \varphi_i) \to (\bigwedge_{j=1}^{m} \psi_j)$ where each $\varphi_i$, $\psi_j$ is specified by a deterministic Büchi automaton.

Definition 3 ([13]) Assume we are given $n$ deterministic Büchi automata $\mathfrak{A}^a_1, \ldots, \mathfrak{A}^a_n$ for the environment's assumptions and $m$ deterministic Büchi automata $\mathfrak{A}^g_1, \ldots, \mathfrak{A}^g_m$ for the system's guarantees with $\mathfrak{A}^a_i = (\mathcal{Q}^a_i, \Sigma, q^a_{0,i}, \delta^a_i, GF\,p_i)$ and $\mathfrak{A}^g_j = (\mathcal{Q}^g_j, \Sigma, q^g_{0,j}, \delta^g_j, GF\,q_j)$. Then, we define an automaton $\mathfrak{A}^{GR(1)} = (\mathcal{Q}, \Sigma, \delta, q_0, \mathcal{A})$ as the product of all automata $\mathfrak{A}^a_i$ and $\mathfrak{A}^g_j$ where the state space is $\mathcal{Q} = \mathcal{Q}^a_1 \times \cdots \times \mathcal{Q}^a_n \times \mathcal{Q}^g_1 \times \cdots \times \mathcal{Q}^g_m$, the transition function is $\delta((q^a_1, \ldots, q^g_m), \sigma) = (\delta^a_1(q^a_1, \sigma), \ldots, \delta^g_m(q^g_m, \sigma))$ and the initial state is $q_0 = (q^a_{0,1}, \ldots, q^g_{0,m})$. The acceptance condition $\mathcal{A} = (\bigwedge_{i=1}^{n} GF\,p_i) \to (\bigwedge_{j=1}^{m} GF\,q_j)$ is a GR(1) condition.

Thus, a run of $\mathfrak{A}^{GR(1)}$ is accepting if either all sets $\mathcal{Q}_{q_j}$ are visited infinitely often or at least some set $\mathcal{Q}_{p_i}$ is visited only finitely often.
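
The following added example is not the paper's symbolic implementation and not code from Quartz2Marduk or Marduk. It applies the textbook explicit-state breakpoint construction mentioned in the introduction to the negation of a response formula G(t -> F a), reads the result as a deterministic Büchi automaton, and evaluates the GR(1) condition of Definition 3 on an ultimately periodic word. The class and function names, the letter encoding (sets of true variables) and the sample automata are assumptions constructed for illustration.

```python
class NCW:
    """Nondeterministic co-Buchi automaton: a run accepts iff it eventually stays in `safe`."""
    def __init__(self, init, safe, step):
        self.init = frozenset(init)
        self.safe = frozenset(safe)
        self.step = step                      # step(state, letter) -> set of successors


def never_answered(trigger, answer):
    """NCW for F(trigger & G !answer), i.e. the negation of G(trigger -> F answer)."""
    def step(q, letter):
        if q == "stuck":                      # committed run: a single `answer` kills it
            return set() if answer(letter) else {"stuck"}
        succ = {"wait"}
        if trigger(letter) and not answer(letter):
            succ.add("stuck")                 # guess that no answer follows from here on
        return succ
    return NCW({"wait"}, {"stuck"}, step)


def post(ncw, states, letter):
    return frozenset(q2 for q in states for q2 in ncw.step(q, letter))


def breakpoint_init(ncw):
    return (ncw.init, ncw.init & ncw.safe)


def breakpoint_step(ncw, state, letter):
    """Deterministic step on pairs (S, O). S is the subset construction; O tracks the
    runs that have stayed in `safe` since the last breakpoint (a state with O empty)."""
    S, O = state
    S2 = post(ncw, S, letter)
    O2 = (post(ncw, O, letter) if O else S2) & ncw.safe
    return (S2, O2)


def gr1_accepts(assumptions, guarantees, prefix, loop):
    """GR(1) acceptance of the product automaton on the word prefix . loop^omega.

    Each NCW describes the negation of one assumption or guarantee. The deterministic
    co-Buchi automaton accepts iff O is empty only finitely often, so its negation is
    the deterministic Buchi automaton with accepting states 'O is empty'.
    """
    if not loop:
        raise ValueError("loop must contain at least one letter")
    autos = list(assumptions) + list(guarantees)

    def advance(state, letter):               # product transition, component-wise
        return tuple(breakpoint_step(a, s, letter) for a, s in zip(autos, state))

    state = tuple(breakpoint_init(a) for a in autos)
    for letter in prefix:
        state = advance(state, letter)
    seen, trace = {}, []                      # product state at a loop boundary -> index
    while state not in seen:
        seen[state] = len(trace)
        for letter in loop:
            state = advance(state, letter)
            trace.append(state)
    recurrent = trace[seen[state]:]           # exactly the states visited infinitely often
    buchi = [any(not comp[k][1] for comp in recurrent) for k in range(len(autos))]
    n = len(assumptions)
    return (not all(buchi[:n])) or all(buchi[n:])


# Constructed sample: a letter is the set of variables that are true in one step.
R, G, RG = frozenset({"r"}), frozenset({"g"}), frozenset({"r", "g"})
GUARANTEE = never_answered(lambda l: "r" in l, lambda l: "g" in l)        # G(r -> F g)
ASSUMPTION = never_answered(lambda l: "g" in l, lambda l: "r" not in l)   # G(g -> F !r)

if __name__ == "__main__":
    print(gr1_accepts([ASSUMPTION], [GUARANTEE], [], [R, G]))   # every request granted
    print(gr1_accepts([ASSUMPTION], [GUARANTEE], [], [R]))      # request never granted
    print(gr1_accepts([ASSUMPTION], [GUARANTEE], [RG], [R]))    # assumption violated
```

The last call shows the implication in the GR(1) condition: the guarantee fails on that word, but the run is still accepting because the assumption automaton visits its Büchi states only finitely often.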

2.5 Games 

A game $\mathfrak{G} = (\mathcal{Q}, \Sigma, q_0, \delta, \mathcal{A})$ is a deterministic ω-automaton with an input alphabet $\Sigma = \mathcal{X} \times \mathcal{Y}$. A play of $\mathfrak{G}$ is an infinite sequence of states $\pi = q_0 q_1 q_2 \cdots \in \mathcal{Q}^\omega$ where $q_{i+1} = \delta(q_i, a_i)$ for $i \ge 0$. The letters $a_i = (x_i, y_i)$ are successively chosen by the players: in each step, the environment first chooses $x_i$, and then the system chooses $y_i$. A play $\pi$ is won by the system if $\mathcal{A}(\pi) = 1$. Otherwise, the game is won by the environment. Note that the environment cannot react to the outputs generated by the system and thus acts like a Moore machine. In contrast, the system we would like to synthesize acts like a Mealy machine.

We solve the game, attempting to decide whether the game is winning for the environment or the system. If the environment is winning, the specification is unrealizable. If the system is winning, we synthesize a winning strategy (which is essentially a Mealy automaton) using the algorithms given in [4, 5, 11, 20].

Figure 1: (Borel) Hierarchy of ω-Automata and Temporal Logic

Previous works regarding the synthesis with respect to GR(1)-synthesis had to manually generate the deterministic automata. In this paper, we show how to automatically obtain deterministic Büchi automata from a fragment of LTL using the well-known Breakpoint construction. This fragment of LTL is a natural fragment of LTL embedded in the well-known temporal-logic hierarchy [15, 8, 16, 17, 22, 23].



3 Temporal Logic vs. Automaton Hierarchy 
3.1 The Automaton Hierarchy 

The classical acceptance conditions, i.e., safety, guarantee/liveness, fairness/response/Büchi, persistence/co-Büchi properties, define the corresponding automaton classes $(N)\mathrm{Det}_{G}$, $(N)\mathrm{Det}_{F}$, $(N)\mathrm{Det}_{GF}$, and $(N)\mathrm{Det}_{FG}$, respectively. Moreover, their boolean closures can be represented by the automaton classes $(N)\mathrm{Det}_{\mathrm{Prefix}}$ and $(N)\mathrm{Det}_{\mathrm{Streett}}$ whose acceptance conditions have the forms $\bigwedge_{j=0}^{n} G\varphi_j \vee F\psi_j$ and $\bigwedge_{j=0}^{n} GF\varphi_j \vee FG\psi_j$, respectively.

The expressiveness of these classes is illustrated in Figure 1, where $\mathcal{C}_1 \precsim \mathcal{C}_2$ means that for any automaton in $\mathcal{C}_1$, there is an equivalent one in $\mathcal{C}_2$. Moreover, we define $\mathcal{C}_1 \approx \mathcal{C}_2 := \mathcal{C}_1 \precsim \mathcal{C}_2 \wedge \mathcal{C}_2 \precsim \mathcal{C}_1$ and $\mathcal{C}_1 \precnsim \mathcal{C}_2 := \mathcal{C}_1 \precsim \mathcal{C}_2 \wedge \neg(\mathcal{C}_1 \approx \mathcal{C}_2)$. As can be seen, the hierarchy consists of six different classes, and each class has a deterministic representative.



3.2 The Temporal Logic Hierarchy 

In |Hl, [22, 23], corresponding hierarchies for temporal logics have been defined. Following [22, 23], we define the hierarchy of temporal logic formulas syntactically by the grammar rules of Fig. 2.

Definition 4 (Temporal Logic Classes) For $\kappa \in \{G, F, \mathrm{Prefix}, FG, GF, \mathrm{Streett}\}$, we define the logics $TL_\kappa$ by the grammars given in Fig. 2, where $TL_\kappa$ is the set of formulas that can be derived from the nonterminal $P_\kappa$ ($V_\Sigma$ represents any variable $v \in V_\Sigma$).

Figure 2: Syntactic Characterizations of the Classes of the Temporal Logic Hierarchy

Typical safety conditions like $G\varphi$ or $G[a\ U\ b]$ that state that something bad never happens, are contained in $TL_{G}$. Liveness conditions like $F\varphi$ are contained in $TL_{F}$. Finally, fairness conditions like $GF\varphi$ that demand that something good infinitely often happens, are contained in $TL_{GF}$ while stabilization/persistence properties like $FG\varphi$ that demand that after a finite interval, nothing bad happens are contained in $TL_{FG}$.

3.3 Relating the Temporal Logic and the Automata Hierarchy 

In [22, 23] several translation procedures are given to translate formulas from $TL_\kappa$ to equivalent $(N)\mathrm{Det}_\kappa$ automata. In particular, the following is an important result:

Theorem 1 (Temporal Logic and Automaton Hierarchy) Given a formula $\Phi \in TL_\kappa$, we can construct a deterministic ω-automaton $\mathfrak{A} = (2^Q, \mathcal{I}, \delta, X, \mathcal{A})$ of the class $\mathrm{Det}_\kappa$ in time $O(2^{|\Phi|})$ with $|Q| \le 2^{|\Phi|}$ state variables. Therefore, $\mathfrak{A} = (2^Q, \mathcal{I}, \delta, X, \mathcal{A})$ is a symbolic representation of a deterministic automaton with $O(2^{2^{|\Phi|}})$ states.

The above results are already proved in detail in [23], where translation procedures from $TL_\kappa$ to $\mathrm{NDet}_\kappa$ have been constructed. Moreover, it has been shown in [23] that the subset construction can be used to determinize the automata that stem from the classes $TL_{G}$ and $TL_{F}$ and that the Miyano-Hayashi breakpoint construction is sufficient to determinize the automata that stem from the translation of formulas from $TL_{FG}$ and $TL_{GF}$. Since $TL_{\mathrm{Prefix}}$ and $TL_{\mathrm{Streett}}$ are the boolean closures of $TL_{G} \cup TL_{F}$ and $TL_{FG} \cup TL_{GF}$, respectively, the remaining results for $TL_{\mathrm{Prefix}}$ and $TL_{\mathrm{Streett}}$ follow from the boolean combinations of $\mathrm{Det}_{G}/\mathrm{Det}_{F}$ and $\mathrm{Det}_{FG}/\mathrm{Det}_{GF}$, respectively.

The final step consists of computing the boolean closure of the acceptance conditions. To this end, it is shown in [23] how arbitrary boolean combinations of $G\varphi$ and $F\varphi$ with propositional formulas $\varphi$ are translated to equivalent $\mathrm{Det}_{\mathrm{Prefix}}$ automata, and analogously, how arbitrary boolean combinations of $GF\varphi$ and $FG\varphi$ with propositional formulas $\varphi$ are translated to equivalent $\mathrm{Det}_{\mathrm{Streett}}$ automata.

4 A LTL Fragment for GR(1)-Synthesis 

Using the previously mentioned temporal logic hierarchy, we define a fragment of LTL that can be easily translated to a set of deterministic Büchi automata for the assumptions and a set of deterministic Büchi automata for the guarantees (Figure 3).

Figure 3: A LTL Fragment for GR(1)-Synthesis

Figure 4: (Borel) Hierarchy of ω-Automata and Temporal Logic with GR(1)

As can be seen, our LTL fragment is naturally embedded in the temporal logic hierarchy. The formulas that syntactically belong to our LTL fragment are those formulas that are derived from the nonterminal $P_{GR(1)}$, thus, these are implications of formulas that are derived from the nonterminals $P_{\mathrm{Assume}}$ and $P_{\mathrm{Assert}}$, respectively, which are both conjunctions of $TL_{GF}$-formulas.

Concerning the automata hierarchy, we can translate these formulas to automata with a GR(1)-acceptance condition, i.e. a generalization of a Streett(1) condition. In [2] it is shown that a GR(1)-condition can be equivalently expressed by a Streett(1)-condition, i.e. a Streett condition with only one acceptance pair. Hence, we obtain the "enriched" automata hierarchy shown in Figure 4 together with the following corollary that easily follows from Theorem 1.

Corollary 1 Given a $P_{GR(1)}$-formula of the form $\Phi = (\varphi_1 \wedge \ldots \wedge \varphi_n) \to (\psi_1 \wedge \ldots \wedge \psi_m)$, we can compute $n$ deterministic Büchi automata $\mathcal{A}_{\varphi_1}, \ldots, \mathcal{A}_{\varphi_n}$ and $m$ deterministic Büchi automata $\mathcal{A}_{\psi_1}, \ldots, \mathcal{A}_{\psi_m}$ such that $\mathcal{A}_{\varphi_i}$ ($\mathcal{A}_{\psi_j}$) is initially equivalent to $\varphi_i$ (resp. $\psi_j$). Hence the GR(1)-automaton obtained from those automata according to Definition 3 is initially equivalent to $\Phi$.

5 Experiments

In our previous work, we had already implemented a toolset Averest [24] whose inputs are programs written in the Esterel-like synchronous programming language Quartz [24]. Averest compiles the synchronous programs to guarded actions which can be used in turn to generate sequential and concurrent software, hardware or symbolic transition relations for formal verification. Specifications can be given in various temporal logics and the μ-calculus. Averest provides a lot of translations from temporal logic to either ω-automata or directly to the μ-calculus (see [23] for these translations).

For this paper, we implemented an additional tool Quartz2Marduk that takes as input a set of LTL formulas that represent assumptions and assertions/guarantees of a GR(1) specification (see example shown in Figure 5). We then check whether these specifications belong to the class that can be used for GR(1)-synthesis. If so, we automatically generate deterministic automata that are equivalent to the specification. The automata are automatically minimized using a form of delayed simulation [10] and are afterwards used to generate a file as input to the Marduk tool². Marduk is a re-implementation of Anzu [11] with some new features. It is basically a BDD-based implementation of the algorithm given in [20].

Included with Marduk came two case studies that are described in [4, 5, 11]. The first case study is the GenBuf example that is used as a tutorial in IBM's RuleBase system. The second example is ARM's Advanced Microcontroller Bus Architecture (AMBA) which defines the Advanced High performance Bus (AHB), an on-chip communication standard that connects devices like processor cores, caches and DMA arbiters.

In [4, 5, 11], temporal logic specifications for those case studies are given along with some hints how deterministic automata for these specifications can be manually obtained. Marduk came with an input file that already contained those manually generated deterministic automata. In our tool, all we had to do is to simply write down the temporal logic specifications given in [4, 5, 11] and compile them to a Marduk input file.

After having compiled the Marduk input files, we ran Marduk with dynamic variable ordering enabled, leaving the other options untouched. The results of our experiments are given in Figure 6. The first column given there is the name of the case study, the second column is the time (in seconds) our tool needed to perform determinization. The third column lists the number of state variables that were generated by our tool and the manually generated deterministic automata. The next column lists the number of BDD nodes for the generated strategy. Finally, the last column lists the runtime of Marduk for the automatically generated automata and the respective time for the manually generated automata. In the table, TO means that the synthesis procedure could not be finished within 50000 seconds³.

6 Discussion 

The GR(1)-approach is one of the most successful approaches to LTL synthesis today EHUQjiJ that has already found applications apart from its primary target [28]. One interesting question regarding the GR(1)-synthesis approach is its good algorithmic behavior of having a cubic runtime despite the fact that many specifications can be rewritten to a deterministic automaton having a GR(1)-acceptance condition. This question has been answered in [2] where it is shown that in fact an automaton with GR(1)-acceptance condition is equivalent to a Streett automaton having only one acceptance pair.

² Actually, our current implementation generates an Anzu [11] file and we use a tool included with Marduk to translate this Anzu file to a Marduk file.

³ We can not satisfactorily explain why the synthesis for the AMBA model needed more time for 6 masters than for 7 masters using our determinization procedure. However, the same holds for the manually generated automata where this observation can be done for 8 respectively for 9 masters. However, a similar observation was also reported in [5].

macro NO - 4; 

module GenBijfCbool[NC)+l] ?BtoS_Ack, bool[Z] TBtoOea, 

bool[NO+l] I.StpBJtea, bool[2] IRtpBjickJ) { 

} satisfies { 

spec_l: assert 

G CSto0.eg,[i] -> BtoS_Ack[i])); 
spec_Z: assert 

A CforMI(i=0- NO) 

G C LkoOeaCi] & * JipBJRleaJi] -> X !BtoS_Ack[i];»; 
spec_3: assert 

G OtoOejiEi] & ! BtoS_Ack[i] -> X 5^JSUBSflCi])>; 
spec_4: assert 

a CfprMICi=0- 

G CBtoS_Ack[i] -> X !5toBJReg[i])); 

1 

Figure 5: An Example Quartz File with a GR(1) Specification having only Assertions

In this article, we gave the corresponding temporal logic view: We presented a fragment of LTL that is 'naturally' embedded in the temporal logic hierarchy and that can be easily translated to a corresponding deterministic GR(1)-automaton. We have implemented a tool that is able to translate any formula from this fragment to a corresponding deterministic GR(1)-automaton. This is a useful improvement in the expressivity and usage of the GR(1)-approach: instead of having the need to generate deterministic automata manually, the input to our tool is a more readable LTL formula.

However, this higher expressivity comes at a cost: Not too surprisingly, running Marduk on the manually generated automata took a significantly smaller amount of time than on the automatically generated automata and moreover, generated smaller BDDs for the strategies. However, the manually generated automata have undergone heavy (hand-crafted) minimization steps and hence we expect that further improvements on the determinization or the minimization step of our tool could also significantly improve our results.

Figure 6: Experimental Results